Information Security News mailing list archives
Re: Code Red Tribulation is nigh, Steve Gibson warns
From: InfoSec News <isn () c4i org>
Date: Wed, 1 Aug 2001 04:49:12 -0500 (CDT)
Forwarded by: Paul Cardon <paul () moquijo com>

InfoSec News wrote:
In fact, raw sockets have no relevance to this particular worm. I actually have examined it, and while I'm impressed by its compactness and power, and the speed with which it was hacked out, it's clear that the author wanted to know which machines it had infected. Packet spoofing would have frustrated that ambition perfectly. (Oh, and because the .IDA hole which the worm exploits yields system-level access, knowing which among thousands of boxes are infected is a whole lot nastier than any spoofed-packet flood could hope to be.) I'm not alone here. Vmyths founder Rob Rosenberger, who, like myself, has debunked Gibson at length before an ungrateful army of GRC patsies, agrees. "[Gibson] contends Code Red would've been more effective if it used raw sockets. I contend it would've been less effective. The router/spoofing RFCs would've negated some of the zombies by refusing to let them push," Rosenberger says.
It would be so much more ineffective than that. Code Red makes a TCP connection in order to infect other systems. That can't be done from a spoofed source unless you have the ability to reliably predict ISNs (initial sequence numbers). Gibson is choosing to ignore that very important detail. Some NT systems may have weaker (but not trivially guessable) ISNs. Win2k and WinXP systems should be in good shape since Newsham's statistical analysis of ISNs is not really feasible for use in worm code.

-paul

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
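Paul's point is that a spoofed-source TCP connection can only complete if the sender can predict the server's initial sequence number, because the SYN-ACK carrying that number goes to the spoofed address, never to the sender. The following is an added illustration (not part of the original thread or any code discussed in it): a toy model of the server side of the three-way handshake, with two constructed ISN policies. One advances the ISN by a fixed step per connection, standing in for the weak generators of older stacks; the other draws a fresh unpredictable 32-bit ISN per connection, in the spirit of RFC 1948 / RFC 6528. The naive predictor, IP addresses, ports, step size and class names are all constructed for the example.

```python
import secrets

MASK32 = 0xFFFFFFFF


class ToyTcpServer:
    """Toy model of a TCP listener's handshake state (constructed example, not real TCP).

    For each SYN the server picks an initial sequence number (ISN) and sends it
    back in the SYN-ACK; it treats the connection as established only if the
    final ACK acknowledges ISN + 1.
    """

    def __init__(self, isn_policy: str):
        if isn_policy not in ("incrementing", "random"):
            raise ValueError("isn_policy must be 'incrementing' or 'random'")
        self.isn_policy = isn_policy
        self.last_isn = 0x01020304          # arbitrary constructed starting point
        self.pending = {}                   # (src_ip, src_port) -> ISN sent in SYN-ACK
        self.established = []

    def _next_isn(self) -> int:
        if self.isn_policy == "incrementing":
            # Weak policy: ISN advances by a fixed step per connection. Anyone
            # who has seen one ISN can compute the next one.
            self.last_isn = (self.last_isn + 64_000) & MASK32
            return self.last_isn
        # Strong policy: a fresh unpredictable 32-bit value per connection.
        return secrets.randbits(32)

    def recv_syn(self, src) -> int:
        isn = self._next_isn()
        self.pending[src] = isn
        return isn  # delivered in the SYN-ACK *to src*, whoever that really is

    def recv_ack(self, src, ack_number: int) -> bool:
        isn = self.pending.pop(src, None)
        if isn is not None and ack_number == (isn + 1) & MASK32:
            self.established.append(src)
            return True
        return False


def legitimate_connect(server: ToyTcpServer, src) -> bool:
    # A genuine client receives the SYN-ACK, so it acknowledges exactly what it was sent.
    isn = server.recv_syn(src)
    return server.recv_ack(src, (isn + 1) & MASK32)


def blind_spoofed_connect(server: ToyTcpServer, spoofed_src, predicted_isn: int) -> bool:
    # The SYN-ACK goes to spoofed_src, so the sender never sees the real ISN and
    # must acknowledge a prediction instead.
    server.recv_syn(spoofed_src)
    return server.recv_ack(spoofed_src, (predicted_isn + 1) & MASK32)


def spoof_success_rate(isn_policy: str, trials: int = 1000) -> float:
    """Fraction of blind spoofed handshakes that complete under a given ISN policy.

    The predictor is the naive one implied by a fixed-step generator: observe one
    ISN via a normal connection from one's own address, then assume the next
    connection's ISN is exactly one step later. Against a randomized ISN this
    guess is right with probability 1 / 2**32, so the rate is effectively zero.
    """
    completed = 0
    for i in range(trials):
        server = ToyTcpServer(isn_policy)
        own_src = ("198.51.100.7", 40_000 + i)          # constructed: sender's own address
        observed = server.recv_syn(own_src)
        server.recv_ack(own_src, (observed + 1) & MASK32)
        prediction = (observed + 64_000) & MASK32
        spoofed_src = ("203.0.113.9", 50_000 + i)       # constructed: forged source
        if blind_spoofed_connect(server, spoofed_src, prediction):
            completed += 1
    return completed / trials


if __name__ == "__main__":
    for policy in ("incrementing", "random"):
        print(f"{policy:>12}: legitimate ok = {legitimate_connect(ToyTcpServer(policy), ('10.0.0.2', 1234))}, "
              f"blind spoof success rate = {spoof_success_rate(policy):.4f}")
```

Running it shows the asymmetry Paul describes: a legitimate client completes the handshake under either policy, while the blind spoofed handshake completes every time against the fixed-step generator and essentially never against the randomized one. This is why ISN randomization, rather than router-side spoof filtering alone, is what makes the spoofed-source variant Gibson describes infeasible for worm code.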